240 likes | 360 Views
Introduction to SMV. Useful Links. CMU Model checking homepage http://www.cs.cmu.edu/~modelcheck/ SMV windows version http://www.cs.cmu.edu/~modelcheck/smv.html#nt SMV man page (must read) http://www.cs.cmu.edu/~dongw/smv.txt SMV manual http://www.cs.cmu.edu/~modelcheck/smv/smvmanual.ps.
E N D
Useful Links • CMU Model checking homepagehttp://www.cs.cmu.edu/~modelcheck/ • SMV windows versionhttp://www.cs.cmu.edu/~modelcheck/smv.html#nt • SMV man page (must read)http://www.cs.cmu.edu/~dongw/smv.txt • SMV manualhttp://www.cs.cmu.edu/~modelcheck/smv/smvmanual.ps
Symbolic Model Verifier • Ken McMillan, Symbolic Model Checking: An Approach to the State Explosion Problem, 1993. • Finite-state Systems described in a specialized language • Specifications given as CTL formulas + fairness, safety, liveness, deadlock • Internal representation using OBDDs • Automatically verifies specification or produces a counterexample
Language Characteristics • Allows description of synchronous and asynchronous systems • Modularized and hierarchical descriptions • Finite data types: Boolean and enumerated • Nondeterminism
Variable Assignments • Assignment to initial state: init(value) := 0; • Assignment to next state (transitionrelation)next(value) := value + carry_in mod 2; • Assignment to current state (invariant)carry_out := value & carry_in; • Use either init-next or invariant - never both • SMV is a parallel assignment language
A Sample SMV Program MODULE main VAR request: boolean; state: {ready, busy}; ASSIGN init(state) := ready; next(state) := case state=ready & request: busy; 1: {ready, busy}; esac; SPEC AG(request -> AF (state = busy))
The Case Expression • case is an expression, not a statement • Guards are evaluated sequentially. • The first one that is true determines the resulting value • If none of the guards are true, an arbitrary valid value is returned • Always use an else guard!
Nondeterminism • Completely unassigned variable can model unconstrained input. • {val_1, …, val_n} is an expression taking on any of the given values nondeterministically. • Use union when you have expressions rather than values • Nondeterministic choice can be used to: • Model an implementation that has not been refined yet (e.g., abstract models of complex protocols) • Abstract behavior
Types • Boolean • 1 is true and 0 is false • Enumerated • VAR a : {red, blue, green}; b : {1, 2, 3}; c : {1, 5, 7};ASSIGN next(b) := case b<3 : b+1; 1 : 1; esac; • Numerical operations must be properly guarded • User can define its own data structures
ASSIGN and DEFINE • VARa: boolean;ASSIGNa := b | c; • declares a new state variable a • becomes part of invariant relation • DEFINEd:= b | c; • is effectively a macro definition, each occurrence of d is replaced by b | c • no extra BDD variable is generated for d • the BDD for b | c becomes part of each expression using d • not possible to provide non-determinism
Next • Expressions can refer to the value of a variable in the next state • Examples: • VAR a,b : boolean;ASSIGN next(b) := !b; a := next(b); • ASSIGN next(a) := !next(b)(a is the negation of b, except for the initial state) • Disclaimer: different SMV versions differ on this
Assignment Errors • Next/current value of a variable is assigned more than once (process) • Initial value of a variable is assigned more than once (program) • Initial/Current value of a variable are both assigned (program) • Current/Next value of a variable are both assigned (program) • Circular assignments
Circular definitions • … are not allowed! • This is illegal: • a := next(b);next(b) := c;c := a; • This is o.k. • init(a) := 0;next(a) := !b;init(b) := 1;next(b) := !a;init(c) := 0;next(c) := a & next(b);
Modules and Hierarchy • Modules can be instantiated many times, each instantiation creates a copy of the local variables • Each program has a module main • Scoping • Variables declared outside a module can be passed as parameters • Internal variables of a module can be used in enclosing modules (submodel.varname). • Parameters are passed by reference.
MODULE main VARbit0 : counter_cell(1); bit1 : counter_cell(bit0.carry_out); bit2 : counter_cell(bit1.carry_out); SPEC AG AF bit2.carry_out MODULE counter_cell(carry_in) VARvalue : boolean; ASSIGN init(value) := 0; next(value) := value + carry_in mod 2; DEFINEcarry_out := value & carry_in;
Module Composition • Synchronous composition • All assignments are executed in parallel and synchronously. • A single step of the resulting model corresponds to a step in each of the components. • Asynchronous composition • A step of the composition is a step by exactly one process. • Variables, not assigned in that process, are left unchanged.
Asynchronous Composition MODULE main VARgate1: process inverter(gate3.output); gate2: process inverter(gate1.output); gate3: process inverter(gate2.output); SPEC(AG AFgate1.output) SPEC (AG AF!gate1.output) MODULE inverter(input) VAR output: boolean; ASSIGN init(output) := 0; next(output) := !input;
Counterexamples -- specification AG AF (!gate1.output) is false -- as demonstrated by the following execution state 2.1: gate1.output = 0 gate2.output = 0 gate3.output = 0 state 2.2: [executing process gate1] -- loop starts here -- state 2.3: gate1.output = 1 [stuttering]
Asynchronous Composition (Revisited) MODULE main VARgate1: process inverter(gate3.output); gate2: process inverter(gate1.output); gate3: process inverter(gate2.output); SPEC(AG AFgate1.output) SPEC (AG AF!gate1.output) MODULE inverter(input) VAR output: boolean; ASSIGN init(output) := 0; next(output) := !input union output;
Example: Mutual Exclusion Module user VAR state : {idle, entering, critical, exiting}; ASSIGN init(state) := idle next(state) := case state = idle : {idle, entering}; state = entering & ! semaphore : critical; state = critical : {critical, exiting}; state = exiting : idle; 1 : state; esac; next(semaphore) := case state = entering : 1; state = exiting : 0; 1 : semaphore; esac; Module main VAR semaphore : boolean; proc1 : process user; proc2 : process user; ASSIGN init(semaphore) := 0; SPEC AG !(proc1.state = critical) SPEC AG !(proc2.state = critical) SPEC AG(proc1.state=entering -> AF proc1.state=critical)
Run SMV • smv [options] inputfile • -c cache-size • -k key-table-size • -m mini-cache-size • -v verbose • -r • prints out statistics about reachable state space • -checktrans • checks whether the transition relation is total
SMV Options • –f • computes set of reachable states first • Model checking algorithm traverses only the set of reachable states instead of complete state space. • useful if reachable state space is a small fraction of total state space
Variable Reordering • Variable reordering is crucial for small BDD sizes and speed. • Generally, variables which are related need to be close in the ordering. • –i filename –o filename • Input, output BDD variable ordering to given file. • -reorder • Invokes automatic variable reordering